_index=security_logs _sourceCategory=fw_security "type=\"traffic\"" AND dstip*
  | keyvalue regex "=(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" keys "dstip"
  | where dstip not in ("10.*", "172.[16-31].*", "192.168.*")
  | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = dstip
  | where country_name in ("Turkey","Brazil","India","Italy","Hungary","Romania","Ukraine","Taiwan","Thailand","Indonesia","Vietnam","Saudi Arabia","China","Russian Federation","Philippines","South Africa")
  | timeslice 5m
  | count by _timeslice,country_name
  | transpose row _timeslice column country_name as *